|Main Archive Page > Month Archives > selinux archives|
Awesome ! What would I do without this maillist. Thanks soo much for your wonderful help as always :-)
From: Daniel J Walsh [mailto:email@example.com] Sent: Thu 1/7/2010 3:52 PM
To: Stephen Smalley
Cc: Hasan Rezaul-CHR010; Tomas, Gregg A (IS); firstname.lastname@example.org Subject: Re: Help with an SELinux AVC event...
On 01/07/2010 03:43 PM, Stephen Smalley wrote:
> On Thu, 2010-01-07 at 15:37 -0500, Hasan Rezaul-CHR010 wrote:
>> Hi All,
>> I have a C application task called "sswd" on my Linux system, that
>> opens up the /var/log/audit/audit.log file every 5 seconds, and checks
>> to see if there are any new AVC denies.
>> I have had this same task doing the same thing for the last few years
>> on a Linux system running selinux. And I have never seen these events
>> in audit.log before complaining about the sswd task... I used to use
>> older selinux packages, and ran the Fedora Core 7 'strict' policy
>> together with some custom policies.
>> Recently we upgraded our SELinux packages to the very latest (similar
>> to Fedora 12), and we are using Refpolicy as a base policy.
>> In the /var/log/audit/audit.log file, I see the following event pop up
>> every 5 seconds, and I am guessing its because "sswd" tries to open up
>> the audit.log file every 5 seconds for reading.
>> 1. Can you help me understand what this event is really saying?
>> 2. I have already taken the audit.log file, and used audit2allow to
>> generate any allow rules necessary, but it didnt help to get rid of
>> this particular event.
>> 3. Can I add any specific policy allow lines or transition rules in my
>> custom policy files to get rid of this repeated event ?
>> Thanks in advance.
>> The event that pops up every 5 seconds in audit.log is:
>> type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5
>> success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463
>> pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601
>> sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd"
>> exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255
>> type=CWD msg=audit(1262874266.422:260): cwd="/data"
>> type=PATH msg=audit(1262874266.422:260): item=0
>> name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600
>> ouid=0 ogid=0 rdev=00:00
> > That's your audit configuration (/etc/audit/audit.rules), not SELinux. > You have an audit rule that says to log all access to the audit log > file, presumably copied from the sample audit rules for the CAPP or LSPP > configurations. Looks like this in audit.rules: > -w /var/log/audit/ -k LOG_audit > > I think you'd be better off using audispd to dispatch audit events to > your program rather than directly reading audit.log yourself.
>> root@hapWibbSc2:/var/log/audit# ps -eZ | grep sswd
>> system_u:system_r:init_t:s0-s15:c0.c255 2781 ? 00:00:00 sswd
>> root@hapWibbSc2:/var/log/audit# cd /usr/app/bin
>> root@hapWibbSc2:/usr/app/bin# ls -l sswd
>> -rwxrwxr-x 1 root root 217204 Jan 1 07:49 sswd
>> root@hapWibbSc2:/usr/app/bin# cd /var/log/audit/
>> root@hapWibbSc2:/var/log/audit# ls -lZ
>> -rw------- root root system_u:object_r:auditd_log_t:s15:c0.c255
You probably want to steal the code in sedisp in the setroubleshoot package, since this is exactly what it does. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.